Closed Bug 1629575 Opened 4 years ago Closed 4 years ago

InvalidArrayIndex_CRASH @ nsGridContainerFrame::LineNameMap::GetLineNamesAt

Categories: Core :: Layout: Grid, defect, P2

Tracking: RESOLVED FIXED, target milestone mozilla78

Tracking Status
firefox-esr68 --- unaffected
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- fixed
firefox78 --- fixed

People: Reporter: marcin.noga, Assigned: alaskanemily

References: Regression

Keywords: crash, regression, testcase

Attachments: 3 files, 1 obsolete file

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

Steps to reproduce:

Load the attached Grid_layout_GetLineNamesAt.html file in Firefox.

Actual results:

AddressSanitizer:DEADLYSIGNAL

==40594==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fca22015520 bp 0x7ffe3280fc20 sp 0x7ffe3280fc20 T0)
==40594==The signal is caused by a WRITE memory access.
==40594==Hint: address points to the zero page.
#0 0x7fca2201551f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:332:3
#1 0x7fca2201551f in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:27:3
#2 0x7fca2acf5a59 in nsTArray_Impl<mozilla::SmallPointerArray<mozilla::StyleOwnedSlice<mozilla::StyleCustomIdent> const>, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1208:7
#3 0x7fca2acf05c6 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1237:12
#4 0x7fca2acf05c6 in nsGridContainerFrame::LineNameMap::GetLineNamesAt(unsigned int) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1804:29
#5 0x7fca2acf0324 in nsGridContainerFrame::LineNameMap::HasNameAt(unsigned int, nsAtom*) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1752:28
#6 0x7fca2acf0218 in nsGridContainerFrame::LineNameMap::Contains(unsigned int, nsAtom*) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1726:51
#7 0x7fca2acef8e8 in nsGridContainerFrame::LineNameMap::FindLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1661:11
#8 0x7fca2ac7432a in nsGridContainerFrame::LineNameMap::FindNamedLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1517:14
#9 0x7fca2ac734e2 in nsGridContainerFrame::Grid::ResolveLine(mozilla::StyleGenericGridLine<int> const&, int, unsigned int, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalSide, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3800:23
#10 0x7fca2ac74681 in nsGridContainerFrame::Grid::ResolveLineRangeHelper(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3879:13
#11 0x7fca2ac74e2c in nsGridContainerFrame::Grid::ResolveLineRange(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3923:16
#12 0x7fca2ac7510a in nsGridContainerFrame::Grid::PlaceDefinite(nsIFrame*, nsGridContainerFrame::LineNameMap const&, nsGridContainerFrame::LineNameMap const&, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3951:7
#13 0x7fca2ac7a7dc in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4381:9
#14 0x7fca2ac9de5b in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7438:12
#15 0x7fca2ab1e5a5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#16 0x7fca2ab1535d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3804:11
#17 0x7fca2ab11ccb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3151:5
#18 0x7fca2ab08b94 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2689:7
#19 0x7fca2ab01951 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1401:3
#20 0x7fca2ab1e5a5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#21 0x7fca2ab1535d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3804:11
#22 0x7fca2ab11ccb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3151:5
#23 0x7fca2ab08b94 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2689:7
#24 0x7fca2ab01951 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1401:3
#25 0x7fca2ab4daf4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#26 0x7fca2ab4c8dd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:750:5
#27 0x7fca2ab4daf4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#28 0x7fca2ac31f71 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:653:3
#29 0x7fca2ac337a5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:767:3
#30 0x7fca2ac376f8 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1154:3
#31 0x7fca2aaf2121 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:946:14
#32 0x7fca2aaf178b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:299:7
#33 0x7fca2a918e4c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9308:11
#34 0x7fca2a92b957 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9481:24
#35 0x7fca2a92a3d3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4158:11
#36 0x7fca2a8bb2a7 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2071:20
#37 0x7fca2a8c9be6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#38 0x7fca2a8c9be6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#39 0x7fca2a8c97e5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#40 0x7fca2a8c8812 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:828:5
#41 0x7fca2a8c8812 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:16
#42 0x7fca2a8c7991 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:645:9
#43 0x7fca2b02c389 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#44 0x7fca24025dc0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#45 0x7fca23ae7870 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5970:32
#46 0x7fca233fe1c0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
#47 0x7fca233f9376 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
#48 0x7fca233fb8c4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
#49 0x7fca233fc7a0 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
#50 0x7fca2213aaf0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
#51 0x7fca2214591c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#52 0x7fca23409dff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#53 0x7fca232fce27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7fca232fce27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#55 0x7fca232fce27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#56 0x7fca2a42a528 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#57 0x7fca2df7c076 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#58 0x7fca232fce27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7fca232fce27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#60 0x7fca232fce27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#61 0x7fca2df7b72a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#62 0x55bfba2949d3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#63 0x55bfba2949d3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#64 0x7fca450dbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#65 0x55bfba1ea37c in _start (/home/icewall/tools/fuzzing/browsers/firefox/firefox+0x9c37c)

Expected results:

.

$ hg id -i
da2b1829e1fd
$ uname -a
Linux ubuntu 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Status: UNCONFIRMED → NEW
Component: Untriaged → Layout: Grid
Ever confirmed: true
Keywords: bugmon, crash, testcase
Product: Firefox → Core

Probably a regression from bug 1341507 given that the testcase uses multiple track values inside a repeat(auto-fill).

Flags: needinfo?(emcdonough)
Keywords: regression
OS: Unspecified → All
Priority: -- → P2
Regressed by: 1341507
Hardware: Unspecified → All
Has Regression Range: --- → yes
See Also: → 1630789
Assignee: nobody → emcdonough
Status: NEW → ASSIGNED

Resetting severity to default of --.

Keywords: bugmon

Just waiting on code review.

Flags: needinfo?(emcdonough)
Crash Signature: [@ InvalidArrayIndex_CRASH | nsGridContainerFrame::LineNameMap::GetLineNamesAt]

This only occurred when a grid with a repeat with multiple values was used.
Also add crashtests for this case, and update some comments on LineNameMap's
fields while we are here.

Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0c1494c8c04a
Fix incorrect grid template size in the line name map r=mats
Attachment #9146337 - Attachment is obsolete: true

Backed out changeset 0c1494c8c04a (bug 1629575) by alaskanemily's request

Backout link: https://hg.mozilla.org/integration/autoland/rev/6da1d9c3a9c2822cf85de9c559d58cce81a167ef

Flags: needinfo?(emcdonough)
Attachment #9141120 - Attachment description: Bug 1629575 - Fix incorrect grid template size in the line name map → Bug 1629575 - [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track.
Flags: needinfo?(emcdonough)
Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/594bfcb374fd
[css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track. r=mats
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78

Comment on attachment 9141120 [details]
Bug 1629575 - [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track.

Beta/Release Uplift Approval Request

  • User impact if declined: CSS grids with a template that has a repeat(auto-fill/fit) of more than one track, and that has a grid item with a line name not present in the grid template will crash.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is relatively small, and the area of code is covered by existing web platform tests and now additional crashtests
  • String changes made/needed:
Attachment #9141120 - Flags: approval-mozilla-beta?
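The uplift request above states the affected condition precisely: a grid template whose repeat(auto-fill) or repeat(auto-fit) contains more than one track, plus a grid item placed on a line name the template never declares. The script below is an added example, not the bug's attached testcase and not Gecko code: it checks a grid-template-columns value and a list of placements against that condition and emits a minimal HTML page exercising it, so a tester can confirm whether a given build is affected. The function names and the sample template are assumptions. Worth noting from the stack trace: frames #0 to #2 show MOZ_Crash reached through InvalidArrayIndex_CRASH from nsTArray::ElementAt, i.e. the array's bounds check aborted the content process before the out-of-range element was touched, so on affected builds the observable impact is a content-process crash.

```python
import re

# Constructed sample inputs (not the bug's attached testcase): a template whose
# auto-fill repeat has two tracks, and a placement naming a line that does not exist.
SAMPLE_TEMPLATE = "[a] 100px repeat(auto-fill, [b] 50px [c] minmax(20px, 1fr)) [d] 100px"
SAMPLE_PLACEMENT = "zzz"

LINE_NAMES = re.compile(r"\[([^\]]*)\]")              # one [name name ...] group
AUTO_REPEAT = re.compile(r"repeat\(\s*(auto-fill|auto-fit)\s*,")


def top_level_tokens(text):
    """Split on whitespace, but not inside parentheses (keeps minmax(a, b) whole)."""
    tokens, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def auto_repeat_body(template):
    """Return the track list inside repeat(auto-fill|auto-fit, ...), or None."""
    m = AUTO_REPEAT.search(template)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(template)):
        if template[i] == "(":
            depth += 1
        elif template[i] == ")":
            depth -= 1
            if depth == 0:
                return template[m.end():i]
    raise ValueError("unbalanced parentheses in grid template")


def auto_repeat_track_count(template):
    """Number of track sizes in the auto repeat (0 when there is no auto repeat)."""
    body = auto_repeat_body(template)
    if body is None:
        return 0
    return len(top_level_tokens(LINE_NAMES.sub(" ", body)))


def declared_line_names(template):
    """All explicit [line-name]s in the template, including those inside repeat()."""
    names = set()
    for group in LINE_NAMES.findall(template):
        names.update(group.split())
    return names


def referenced_line_names(grid_line):
    """Custom identifiers used in a grid-column/grid-row value such as 'zzz / span 2'."""
    names = set()
    for side in grid_line.split("/"):
        for tok in side.split():
            if tok in ("span", "auto") or re.fullmatch(r"-?\d+", tok):
                continue
            names.add(tok)
    return names


def hits_affected_condition(template, placements):
    """True when the auto repeat has more than one track and some placement names a
    line the template never declares (the case the uplift request describes).
    Implicit names from grid-template-areas (foo-start/foo-end) are not modelled."""
    if auto_repeat_track_count(template) < 2:
        return False
    referenced = set()
    for placement in placements:
        referenced |= referenced_line_names(placement)
    return bool(referenced - declared_line_names(template))


def make_crashtest(template, placement):
    """Minimal self-contained HTML page exercising the template/placement pair."""
    return (
        "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n<style>\n"
        f"  #grid {{ display: grid; width: 600px; grid-template-columns: {template}; }}\n"
        f"  #item {{ grid-column: {placement}; }}\n"
        "</style></head>\n<body><div id=\"grid\"><div id=\"item\">x</div></div></body></html>\n"
    )


if __name__ == "__main__":
    print("hits affected condition:", hits_affected_condition(SAMPLE_TEMPLATE, [SAMPLE_PLACEMENT]))
    print(make_crashtest(SAMPLE_TEMPLATE, SAMPLE_PLACEMENT))
```

Save the printed page to a file and load it in an ASan build as in the reporter's steps; a fixed build (77 or later per the tracking flags) should lay the grid out without aborting. The check is deliberately conservative: it only flags placements that use an explicit custom identifier, and a template with a single-track auto repeat, or a numeric repeat count, is reported as not matching.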

Comment on attachment 9141120 [details]
Bug 1629575 - [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track.

Fix for a 76 regression, the number of crashes is small but almost all the signatures are on 77 and it also adds tests. Let's take it in Beta while we are still early in the cycle, thanks.

Attachment #9141120 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
